Users want fast access to applications without having to deal with a dozen verification
gateways before they can start working. However, the more sensitive the data, the
more complicated the authentication process has to be to protect the organization. This
complicated process not only frustrates users, it takes a toll on the IT staff and costs the
organization time and money.
Most of us see password proliferation as a nightmare, but Hitachi ID Systems sees it as
an opportunity for automation. Recently, ITSJ talked to Idan Shoham, Chief Technology
Officer of Hitachi ID Systems, about the password and identity management challenges
organizations face and some of the cutting-edge solutions that can save time, money,
and a lot of frustration at both ends of the login process.
IT Security Journal: Let’s start with users and their frustrations with identity and access
management. How many passwords would an employee of a large organization have on
average – just for business applications?
Idan Shoham: In most cases, the number is actually declining as organizations make
use of Active Directory, Web single sign-on and federation. It used to be that employees
of medium or large organizations had 10 to 20 passwords, but today it’s more like five to
10. Interestingly, the thing that’s driving it back up is SaaS (Software as a Service), but
federation will gradually make that come down again as well.
ITSJ: If a password is complicated enough to be secure, then it’s hard to remember. In
reality, how are people managing that many instances of complex data strings and what
kinds of problems do their creative solutions pose for the IT department in terms of time
management, service to users, security and compliance risks?
IS: Well, the main problem with passwords is that, given a chance, users will do bad things. They'll choose trivial passwords, never change them, write them down, go through simple sequences, et cetera. That's obviously a problem for security, risk management and regulatory compliance. If I can impersonate someone in a sensitive position, then I can violate whatever controls depend on their good behavior, and that's the security problem: bad behavior leads to weak authentication.
The cost and productivity problem is on the other side of the coin – people who do try to
be good corporate citizens but have too many passwords can’t remember them, so their
work is interrupted and they generate high help desk call volume as a result. Automation
helps users be good corporate citizens, ensures security, deters work interruptions and
keeps help desk call volume under control.
ITSJ: What kind of problems does it pose for the business when employees are
overwhelmed by password proliferation and the Help Desk is overwhelmed by reset
requests, onboarding and deactivations?
IS: That’s simple. Cost for IT and loss of productivity for users. Which is why most
medium to large organizations invest in technology to help users manage their
credentials more efficiently and securely.
ITSJ: What other kinds of challenges are businesses dealing with due to increasing
access management requirements and tighter regulations?
IS: Passwords are only part of the problem; access rights have to be provisioned when
someone is hired and then again when they move around in the organization. Auditors
need visibility into who has what access, how they got it, if and how they use it, and so
on. Then, organizations need policies regarding what sorts of rights are job-appropriate
and what sorts of rights are mutually exclusive. In technical terms, we call this role-
based access control and segregation of duties.
Another big challenge is efficient onboarding and, for security reasons, reliable
deactivation. You don’t want someone who doesn’t work for your organization anymore
having access to data – especially if they aren’t happy with you. In technical terms, we
think of these problems as management and governance of identities, credentials and
security entitlements.
ITSJ: How does automating the process benefit the business – and is it safe? Is it
compliant?
IS: Our whole business is built around helping organizations better manage identities,
entitlements and credentials. The whole point is to simultaneously improve security,
lower IT operating costs and improve user service. That may sound like a lot to ask, but
it’s really not – that’s what automation is for, after all. As for compliance, automation is a
lot more secure than a human performing these mundane tasks day after day.
ITSJ: On the business side, let’s talk about your product, Identity Manager, and what
kind of improvements it offers an organization.
IS: Identity Manager is intended to help organizations manage identities and entitlements.
Different customers use Identity Manager in different ways. For example, some monitor
one or more HR systems and automatically create and tear down user accounts and
other access rights, while others use it as a white pages app – to search for users by
name, department, location, job code, group memberships and more.
It can also be used to request access changes – onboard and deactivate contractors,
request applications or folder access and so on. Quite a few of our customers use it
to manage periodic access certification and to enforce policies around ID naming and
segregation of duties. Some use it to enable auditors to answer their own questions
about who can access what.
It moves the change management processes from a central IT business model to a self-
service, automated business model.
ITSJ: What’s “privileged access” and how does Privileged Access Manager protect an
organization and secure data?
IS: Well, on pretty much every system and application, you have at least one
administrative type of account that’s used to change settings, add or remove users
and so on. This is the Administrator account on Windows, root on Unix or Linux, dba
on Oracle and so on. These accounts have elevated security rights, so if they are
abused, they can cause a lot of harm – service interruption, unauthorized transactions,
compromised privacy and things like that. Serious stuff.
Most systems also have other types of privileged accounts used by one program to
connect to or run another program. So there are really at least two types of privileged
accounts: admin accounts used by people and service or application accounts used
by automation. You have to secure these accounts because they are so much more
dangerous.
Our Privileged Access Manager product secures privileged accounts. It can find systems
and accounts on the network, scramble passwords, control and audit who can use these
accounts, help organizations to replace plain text passwords in configuration files with
secure processes and lots more.
ITSJ: Password Manager promises relief and self-service capabilities to beleaguered
users at any level of the organization. How does it work?
IS: If I could call this product anything, I’d call it Credential Manager, but I’m afraid
not everyone would understand its functionality with that name! I say that because
Password Manager can manage any sort of credentials that a user might have at work.
Certainly his passwords, but also security questions, and his smart card, and any one-
time password device he may have, the password the user types to unlock his encrypted
PC, and even a voice biometric sample or his mobile phone, if those are used as
authentication factors.
Password Manager enables a user to sign in using one credential and then manage
other credentials. For example, you can sign in with one password, then choose a new
password and the new password is applied to all your login accounts. Also, you can
reset a forgotten password or clear a lockout, sign in with a PIN sent to your phone,
or answer some security questions, or use your one-time password device, and then
choose a new password for yourself. You can also enroll security questions – sign in with
your current password and then fill in questions and answers in an enrollment form.
The cool thing is that it’s available anywhere. From your smart phone, or your tablet, or
office PC. Imagine that you’re sitting at Starbucks, pop open your corporate laptop and
realize that you had changed your Windows login password back at the office and have
forgotten it. We can help you, there and then, with a self-service password reset. I don’t
think any other product can do that kind of thing.
ITSJ: There’s something interesting about your products that is different from anything
else on the market, and it has to do with social controls. Tell me more about that.
IS: Think about your personal information – your home phone number, your address,
where you sit in the building – who should be able to see that information? Certainly
your manager should be able to see it – what if you don’t show up for work and they
want to call and see if you’re okay? And, you should be able to see it and change it. It’s
reasonable to expose somewhat personal information to people with a legitimate need to
know. On the other hand, employees of the same company who aren’t related to you in
any way probably should not be able to see that information.
But, you shouldn’t be able to see something like a scheduled termination date. Hopefully
that’s never needed, but there is a place for that – and your manager should be able to
see that information about you, but not for himself. And HR should be able to see it for
everybody, but not for other HR people – and maybe not for executives.
We think of these situations as relationship-based access control. You can’t define those
access rights through a role. We’ve designed all of our products to be relationship based
– to have a social approach. Without it, you’ve got some pretty serious limitations. You
either have to write a bunch of code to control access control logic or you just have to
deal with not having the information that you need. This is new in the market.
Also, we have fewer products than our competitors. Not because our products do fewer
things but because we think that all these different capabilities go hand in hand.
As an example, on a regular basis, a lot of organizations need to do access
recertification where a manager has to evaluate his employees’ access and remove
what is no longer appropriate. We automate that. We think you need a product that does
additive process and subtractive process in one product. Our competitors will sell you
two different products, but we think you should just have to own one. We try to make
sure that you have everything that you need for managing identities and entitlements in
one product, everything that you need for managing privileged access in one product
and everything that a user might need to manage his own credentials in one product.
We don’t believe you should have to keep buying different products and adding on to get
what you need. It’s a different philosophy.
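The relationship-based rules Shoham sketches above (who may see a colleague's contact details, who may see a scheduled termination date) can be made concrete as a small policy evaluator. The following Python is an added example written for this page; it is not Hitachi ID code and says nothing about how its products implement the model. The directory entries, the attribute names, the precedence of the rules, and the decision to deny HR a view of executives' termination dates (a point the interview leaves open with "maybe") are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Person:
    """Directory entry. Field names and the sample people below are constructed."""
    uid: str
    department: str
    manager: Optional[str] = None      # uid of the direct manager; None at the top of the org
    is_executive: bool = False


# Constructed sample directory (not real data).
DIRECTORY: Dict[str, Person] = {
    "alice": Person("alice", "Executive", None, is_executive=True),
    "bob":   Person("bob",   "Engineering", manager="alice"),
    "carol": Person("carol", "Engineering", manager="bob"),
    "frank": Person("frank", "Engineering", manager="bob"),   # carol's peer, no relationship
    "dave":  Person("dave",  "HR", manager="alice"),
    "erin":  Person("erin",  "HR", manager="dave"),
}

CONTACT_ATTRS = frozenset({"home_phone", "home_address", "desk_location"})
SENSITIVE_ATTRS = frozenset({"termination_date"})
ALL_ATTRS = CONTACT_ATTRS | SENSITIVE_ATTRS


def relationships(viewer: str, subject: str,
                  directory: Dict[str, Person] = DIRECTORY) -> FrozenSet[str]:
    """Derive the viewer->subject relationship facts the policy reasons about.

    These are facts about the pair, not roles held by the viewer: 'manager_of_subject'
    holds only for the viewer's own direct reports, never for managers in general."""
    v, s = directory[viewer], directory[subject]
    rels = set()
    if viewer == subject:
        rels.add("self")
    if s.manager == viewer:
        rels.add("manager_of_subject")
    if v.department == "HR":
        rels.add("viewer_in_hr")
    if s.department == "HR":
        rels.add("subject_in_hr")
    if s.is_executive:
        rels.add("subject_is_executive")
    return frozenset(rels)


def can(viewer: str, action: str, attribute: str, subject: str,
        directory: Dict[str, Person] = DIRECTORY) -> bool:
    """Return True if viewer may perform action ('read' or 'write') on subject's attribute.

    Default deny. Rules are applied in precedence order: self-deny for sensitive data,
    then the manager relationship, then the HR relationship with its exceptions."""
    if action not in ("read", "write"):
        return False
    rels = relationships(viewer, subject, directory)

    if attribute in CONTACT_ATTRS:
        # Self may read and change own contact details; the direct manager may read them;
        # unrelated colleagues get nothing.
        if "self" in rels:
            return True
        return action == "read" and "manager_of_subject" in rels

    if attribute in SENSITIVE_ATTRS:
        # Nobody edits termination dates through this path (assumed); nobody sees their own.
        if action != "read" or "self" in rels:
            return False
        if "manager_of_subject" in rels:
            return True
        if "viewer_in_hr" in rels:
            # HR sees everyone except other HR staff and (assumed) executives.
            return not ("subject_in_hr" in rels or "subject_is_executive" in rels)
        return False

    return False   # unknown attribute: deny


def visible_attributes(viewer: str, subject: str,
                       directory: Dict[str, Person] = DIRECTORY) -> FrozenSet[str]:
    """Attributes of subject that viewer may read."""
    return frozenset(a for a in ALL_ATTRS if can(viewer, "read", a, subject, directory))


if __name__ == "__main__":
    for viewer in DIRECTORY:
        print(f"{viewer:6} sees of carol: {sorted(visible_attributes(viewer, 'carol'))}")
```

Note the ordering: because the manager check precedes the HR check, dave (HR, and erin's manager) can read erin's termination date even though erin is also in HR, while erin cannot read dave's. That decision depends on the pair, which is exactly what a role assignment on the viewer alone cannot express.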
In his role as Chief Technology Officer, Idan Shoham is responsible for defining product
and technology strategy and the overall development of Hitachi ID Systems solutions.
Prior to founding Hitachi ID Systems in 1992, Idan provided network security consulting
services to large organizations such as Shell, Amoco, BP Canada and Talisman
Energy. Idan holds a Master's degree in Electrical and Computer Engineering. He is in
demand as a speaker for global security conferences, and was featured most recently
at the European Identity Conference in Munich, SC World Congress in New York and
SecureWorld Expo in Boston.